Smart Phone + Mail Server = Location Tracking

My last two posts have touched on the privacy perspective in relation to mobile applications. This post continues with that privacy theme, but looks at the smart phone itself and at how its constant polling of a mail server can reveal your location and activity.

I was looking through my mail server logs for a specific entry, glancing over the usual brute force login attempts and those from successful users, when it dawned on me how useful this information is. Forget what I was looking for initially, this is much more interesting.

So smart phones, you got to love them. They allow you to grab your e-mail from anywhere. Most mail settings are set up to "fetch" (or poll) IMAP/POP3 mail servers every 5-15 minutes. This polling reminds me of an infected host calling home to a botnet command and control server, reporting its IP address. What is interesting about this is the polling element and its potential for tracking purposes. A smart phone is usually always on you, so it reflects where you are. Forget "Find my iPhone" and all that for a moment – that requires permission. Although the geo-location way of tracking people's locations that I'm about to discuss is not new, I'm looking at it from another perspective – a mobile one.

It is possible to use mail server logs and the polling from a smart phone to determine a user's activity and ultimately track their location.

[Image: Fetch-iphone]

Let me give you some background.

When you access data from your smart phone over a cellular network you use your mobile network operator as a gateway. For example, if I access my web server from my phone right now (using 3G) then 86.176.X.X will show up in the log files. This IP address belongs to "O2 Online", which makes sense, as my mobile operator is O2.

Makes sense right?

Now most people have their smart phones jump on their wireless network when they get home, namely to save on data usage and because it's faster. If I now reload my web server's page on my smart phone, my broadband IP address is shown – 86.140.X.X for the purposes of this post. My ISP, British Telecom (BT), owns this IP address (BT-CENTRAL-PLUS).

So in my case, when the phone is out of the house it uses O2; when at home, BT. I also have a whole bag of preferred wireless networks which my smart phone could jump onto (karmametasploit… but that's another story).

Now where in the world am I going with this?

Recall back to the start of this post where I stated that smart phone mail clients typically poll every 5-15 minutes to check for new messages. If I am able to read mail server log files (either through a compromise or as a malicious system administrator) then I can determine movements and ultimately a user's location. I look up the owners of all the IP addresses that the user is connecting from and can easily see which is the cellular IP and which is the broadband IP. Now I can tell whether the user is at home or not. I can also add to these locations based on additional wireless access points the smart phone connects to.

Let me show you a case study I carried out. The results are quite interesting.

A user, let's call him Winston, is followed over roughly a 5 day period, purely from analysing mail logs. Here is a snippet of his entries from /var/log/maillog. Beside each of them I have noted whether he is at home or not (= HOME / = NOT HOME) based on the owner of the IP address.

Sep 16 11:52:21 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS  = NOT HOME
Sep 16 11:52:54 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 12:23:40 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 13:24:38 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS  = NOT HOME
Sep 16 13:25:13 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 14:27:37 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 15:39:58 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 16:40:32 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 17:42:23 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 18:47:08 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS  = NOT HOME
Sep 16 18:47:42 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 19:48:13 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 21:51:16 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS  = NOT HOME
Sep 16 21:51:51 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 22:52:30 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 16 23:53:05 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS  = NOT HOME
Sep 16 23:53:48 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS  = HOME
Sep 17 08:13:55 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS  = NOT HOME
---CUT FOR BREVITY---

Let's look at the graph below, as it is more interesting than a load of log entries. I am aware it looks like piano keys, but bear with me.

[Image: Iphone-activity (the graph referred to above)]

(A) On 16th September you can see the smart phone check in from the user's broadband and mobile network. This is a Sunday, so no doubt Winston was going about his leisurely business.

(B) On 17th September, a Monday no less, you can see that Winston is at work, as he is not at home between the hours of 9-5. However, he appears to be running a little late as he is still at home at 09:06. Winston walks through his front door at 17:04.

(C) At 19:59 his smart phone checks e-mail from a pub's wireless hotspot – this is highlighted as number 2 on the graph. It flicks between the mobile network and the wireless (pub/not home) during his time there. I'm guessing this is caused by going out of the wireless hotspot's range – cigarette breaks? At 23:34 he is back home.

(D) The same happens again on Tuesday 18th September – he is out most of the day, as you'd expect for a working week. However, Winston leaves the house a little earlier this time, at 08:08. Home again at 17:02, like clockwork.

(E) Wednesday 19th September, 07:42 leaves home. 17:06 back home.

(F) Thursday 20th September, 08:05 leaves home. 16:40 back home, an early one!
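As an added example (not code from the original post), the Python script below does mechanically what the post does by hand: it parses Dovecot imap-login lines, classifies each remote IP (rip=) against the address blocks that a WHOIS lookup would attribute to the home ISP and the mobile operator, and derives per-day "left home" and "returned home" times like those in (B) to (F), with any network it has never seen (the pub hotspot) reported as OTHER. The log lines, the address blocks (RFC 5737 documentation ranges standing in for the real operator blocks) and the year 2012 (16 September was a Sunday that year, matching the post) are all constructed assumptions. For a mail administrator this is the quickest way to audit how much presence information a retained /var/log/maillog actually exposes.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Address blocks assumed for the example: RFC 5737 documentation ranges
# standing in for what WHOIS would attribute to the user's broadband ISP and
# to the mobile operator's gateway. They are not the operators' real blocks.
NETWORKS = {
    ip_network("203.0.113.0/24"): "HOME",     # broadband ISP block
    ip_network("198.51.100.0/24"): "MOBILE",  # mobile operator gateway block
}

# Constructed sample lines modelled on the Dovecot imap-login entries in the
# post (placeholder addresses only). The last line is a failed login that
# the parser must ignore.
SAMPLE_LOG = """\
Sep 16 11:52:21 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Sep 16 11:52:54 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Sep 16 22:52:30 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Sep 17 08:51:02 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Sep 17 09:06:15 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Sep 17 09:21:40 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Sep 17 12:23:11 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Sep 17 17:04:09 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Sep 17 19:59:33 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1, TLS
Sep 17 20:14:50 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Sep 17 20:30:02 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1, TLS
Sep 17 23:34:41 gibson dovecot: imap-login: Login: user=<winston>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Sep 17 23:40:00 gibson dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.99, lip=192.0.2.1, TLS
"""

# One successful Dovecot "Login:" line; rip= is the client's remote address.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r"Login: user=<(?P<user>[^>]+)>, .*?rip=(?P<rip>[0-9a-fA-F.:]+),"
)


def parse_logins(text, year=2012):
    """Return [(datetime, user, ip)] for every successful IMAP login line.
    syslog timestamps carry no year, so one is supplied (2012 assumed here)."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # auth failures, disconnects, other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append((ts, m["user"], ip_address(m["rip"])))
    return logins


def classify(ip, networks=NETWORKS):
    """Map a remote IP to HOME / MOBILE, or OTHER for any unknown network."""
    for net, label in networks.items():
        if ip in net:
            return label
    return "OTHER"


def presence_timeline(logins, user, networks=NETWORKS):
    """Collapse one user's logins into the moments their network label changed.
    Returns [(datetime, label)] in time order."""
    timeline = []
    for ts, u, ip in sorted(logins, key=lambda r: r[0]):
        if u != user:
            continue
        label = classify(ip, networks)
        if not timeline or timeline[-1][1] != label:
            timeline.append((ts, label))
    return timeline


def daily_summary(logins, user, networks=NETWORKS):
    """Per calendar day: last HOME login before the first departure, the first
    non-HOME login after a HOME one (departure), the last arrival back on the
    HOME network, and which non-home networks were seen. Unknowns stay None."""
    days = defaultdict(lambda: {"last_home_before_leaving": None, "left": None,
                                "returned": None, "away_on": set()})
    prev = None  # label of the previous login, carried across midnight
    for ts, u, ip in sorted(logins, key=lambda r: r[0]):
        if u != user:
            continue
        label = classify(ip, networks)
        day = days[ts.date()]
        if label == "HOME":
            if prev not in (None, "HOME"):
                day["returned"] = ts
            if day["left"] is None:
                day["last_home_before_leaving"] = ts
        else:
            day["away_on"].add(label)
            if day["left"] is None and prev == "HOME":
                day["left"] = ts
        prev = label
    return dict(days)


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG)
    for ts, label in presence_timeline(logins, "winston"):
        print(f"{ts:%a %d %b %H:%M}  {label}")
    for day, s in sorted(daily_summary(logins, "winston").items()):
        fmt = lambda t: t.strftime("%H:%M") if t else "-"
        print(f"{day}: left {fmt(s['left'])}, returned {fmt(s['returned'])}, "
              f"away on {sorted(s['away_on']) or '-'}")
```

Run against the constructed sample, the Monday summary reproduces the shape of (B) and (C): last seen at home 09:06, first mobile login 09:21, back on the home network at 17:04 and again at 23:34 after an evening on an unknown hotspot. The seconds-long flaps in the post's own log (for example 13:24:38 NOT HOME followed by 13:25:13 HOME) are the phone switching radios, not a trip out; a dwell-time filter over the timeline is the obvious refinement. On the defensive side, the same script tells an administrator exactly what a reader of the log can infer, which is the input to decisions about who may read it and how long it is retained.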

Your mail server logs reveal a wealth of information about you. So do web server logs, right? However, the constant, predictable polling (fetch) that mobile mail clients carry out makes it possible to get constant updates of activity/location, unlike the odd web server request. I'm also not able to track you as easily through web server logs, whereas you supply a username when you log into the mail server, so I know right away who you are.

Not keen on your activity/location being tracked via your mail server? Turn off wireless on your smart phone so that mail is always accessed over your mobile network operator's gateway. A little extreme, some may say, but if you value your privacy then this is something to explore. One would hope that employers are behaving ethically and wouldn't use this type of information to the detriment of employees.
